The online security and privacy group in Mauritius, Hackers.mu, has released a document today about a security breach affecting whistle-blowers in Mauritius. Below is the official extract of this document. Hackers.mu strongly recommends that whistleblowers in Mauritius refrain from disclosing cases of corruption through the websites mentioned below, until the security problem is fixed.
Transparency International in Mauritius & ICAC
Transparency International is a non-governmental organization dedicated to monitoring and reporting on corruption in both the private and public sector. It has a website in Mauritius where one can report cases of corruption. S. Moonesamy (Famous IT expert in Mauritius) discovered the same issue in February and reported it on his blog. ICAC is a body corporate whose stated goal is to “enlist and foster public support in combating corruption” in Mauritius on their website.
Both ICAC and Transparency International (Mauritius Branch) have a web page dedicated to reporting cases. They both ask for the Name, Surname, and in the case of ICAC, additional information such as National ID card number, and email address.
Lack of Secure connection
However, the whistle-blowing pages on both ICAC and TI (Mauritius) do not offer any HTTPS (SSL/TLS) protection that you would normally find on websites where you want to send sensitive information, such as leaked documents of fraud and corruption. If the website supports SSL/TLS, you can see it as a green padlock on your toolbar, when you visit any secure website. This is NOT the case with transparencymauritius.org and icac.mu.
Furthermore, an attempt to forcefully switch to a secure connection fails in the case of TI (Mauritius).
Impact of no Secure connection
Any whistleblower who reported a case of corruption to the Transparency International Branch in Mauritius or ICAC could have his identity compromised, due to the possibility of non-encrypted traffic being captured by a third party monitoring Internet traffic. ICTA, the ICT regulatory body in Mauritius, has set up an Internet blackbox to filter against child pornography. However, since it was done in a non-transparent manner, Internet users in Mauritius have no idea about what else might be monitored.
Even more worrying, any whistleblower who uses his company’s Internet connection to disclose cases of corruption is also susceptible to having his identity compromised by an IT manager or administrator, due to the lack of security.
Recommendation to whistleblowers in Mauritius
Hackers.mu strongly recommends that whistleblowers in Mauritius refrain from disclosing cases of corruption through the above-mentioned websites, until the security problem is fixed.
Recommendation to Transparency International Mauritius Branch & ICAC
Hackers.mu recommends that a secure TLS certificate is used for the websites, and that Transparency International & ICAC also recommend Tor to whistleblowers as an additional measure. Tor is a free Internet Anonymising network which is used world-wide by whistleblowers.
Hackers.mu is an organization that aims to protect the privacy and security of Internet Citizens in Mauritius. Hackers.mu promotes Tor in Mauritius, and remains committed to building a more secure Infrastructure for everybody in Mauritius. Our members are listed on https://hackers.mu/, and we are reachable via [email protected] and twitter: https://twitter.com/hackersdotmu.